Impact of Shamoon on SCADA Security

Monday, October 29, 2012 @ 09:10 AM gHale

Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.

By Heather MacKenzie

The most destructive post-Stuxnet discovery of advanced threats is a piece of malware known as Shamoon. Like Stuxnet, Duqu and Flame, it targeted energy companies in the Middle East, this time Saudi Aramco, Qatar’s RasGas and likely other oil and gas concerns in the region.

It is a new species, however, because it did not disrupt an industrial process as Stuxnet did, nor did it stealthily steal business information as Flame and Duqu did. Instead it removed and overwrote the information on the hard drives of 30,000 to 55,000 (yes, those numbers are correct) workstations of Saudi Aramco (and who knows how many more at other firms).

Nothing this damaging has been seen in a while. As a Kaspersky Lab expert commented “Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”

First discovered August 16 by Symantec, Kaspersky Labs, and Seculert, Shamoon was introduced into Saudi Aramco by a disgruntled insider who had full access to the system. It took control of an Internet-connected computer and used that computer to communicate back to an external Command-and-Control server. It also infected other computers running Microsoft Windows that were not Internet-connected. This type of malware is a “botnet,” which is a collection of compromised computers under the control of a single individual or group.

The name Shamoon comes from a folder name within the malware executable: “c:\shamoon\ArabianGulf\wiper\release.pdb”

While the significance of the word “Shamoon” is not known, it is speculated that it is the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.

Symantec describes Shamoon as having 3 components:

1. Dropper – the main component and source of the original infection. It drops components 2 and 3 onto the infected computer, copies itself to network shares, executes itself and creates a service to start itself whenever Windows starts.

2. Wiper – this is the destructive module. It compiles a list of files from specific locations on the infected computers, erases them, and sends information about the files back to the attacker. The erased files are overwritten with corrupted jpeg files, “obstructing any potential file recovery by the victim.”
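The wiper behaviour described above (documents erased and overwritten with corrupted JPEG data) leaves a signature a defender can look for: files whose extension says "document" but whose first bytes say "JPEG", appearing in large numbers at once. The script below is an added example written for this post; it is not code from Tofino Security, Symantec or Kaspersky. It builds a small constructed directory tree, flags files whose content starts with the JPEG magic bytes despite a document extension, and raises a mass-wipe alert when the share of affected files crosses a threshold. The extension set and the 25% threshold are assumptions to be tuned for your own file shares.

```python
import tempfile
from pathlib import Path

# Leading bytes of a JPEG file: the SOI marker followed by the start of a segment marker.
JPEG_MAGIC = b"\xff\xd8\xff"

# Document and binary extensions whose content should never begin with a JPEG header.
# Assumed set for this example; extend it to match the file types on your shares.
NON_IMAGE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".exe", ".dll"}

# Fraction of monitored files that must look overwritten before we call it a mass wipe.
# Assumed value for this example.
MASS_WIPE_THRESHOLD = 0.25


def looks_overwritten(path: Path) -> bool:
    """True if a non-image file now starts with JPEG magic bytes (wiper-style overwrite)."""
    if path.suffix.lower() not in NON_IMAGE_EXTENSIONS:
        return False
    with path.open("rb") as fh:
        return fh.read(len(JPEG_MAGIC)) == JPEG_MAGIC


def scan_tree(root: Path) -> dict:
    """Walk a directory tree and report which monitored files appear overwritten.

    Returns the sorted list of suspicious paths, the number of monitored files,
    the ratio between the two, and a 'mass_wipe' flag set when that ratio
    reaches MASS_WIPE_THRESHOLD.
    """
    monitored = [
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in NON_IMAGE_EXTENSIONS
    ]
    suspicious = sorted(p for p in monitored if looks_overwritten(p))
    ratio = len(suspicious) / len(monitored) if monitored else 0.0
    return {
        "suspicious": suspicious,
        "monitored": len(monitored),
        "ratio": ratio,
        "mass_wipe": ratio >= MASS_WIPE_THRESHOLD,
    }


def build_sample_tree(root: Path) -> None:
    """Create constructed sample files: two intact, two overwritten, one real image."""
    (root / "finance").mkdir()
    # Intact Office document: starts with the ZIP local-file header, as .docx files do.
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    # Intact plain-text file.
    (root / "readme.txt").write_bytes(b"maintenance schedule, plain text")
    # Two files whose content has been replaced with JPEG-looking garbage.
    (root / "finance" / "budget.xlsx").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
    (root / "notes.txt").write_bytes(JPEG_MAGIC + b"\xe1" + b"\xff" * 16)
    # A legitimate image, which must not be flagged.
    (root / "photo.jpg").write_bytes(JPEG_MAGIC + b"\xe0\x00\x10JFIF")


def demo() -> dict:
    """Build the constructed tree in a temp directory, scan it, and return a plain summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        result = scan_tree(root)
        return {
            "suspicious": [p.name for p in result["suspicious"]],
            "monitored": result["monitored"],
            "mass_wipe": result["mass_wipe"],
        }


if __name__ == "__main__":
    print(demo())
```

On the constructed tree, four files are monitored (the `.jpg` is ignored), two of them are flagged, and the 50% ratio trips the mass-wipe alert. In practice this check is most useful when run periodically against file-share backups or as a post-incident triage step, since a wiper that overwrites tens of thousands of workstations will produce the same header mismatch on every one of them.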

While all of this sounds sophisticated, Kaspersky Labs concluded, based on a number of errors found in the code, that the developers of Shamoon are “skilled amateurs.” They are not in the same league as the sophisticated coders of Stuxnet and Flame.

On August 15 Saudi Aramco posted on its Facebook page “…the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network. The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network.”

However, as CIO blogger Constantine von Hoffman said, “You don’t destroy 30,000 workstations without causing a vast amount of damage. It might be possible that the attack didn’t directly hit oil production or harm the flow of oil out of the ground. No one I’ve spoken to has suggested it did, but it’s clear that if the company’s statement is true then Aramco used a very strict reading of the phrase ‘oil production.’”

Von Hoffman went on to question the Saudi Aramco statement that all damage had been repaired by August 26. He also wonders how, in an era when oil and gas projects are dominated by joint ventures, other energy companies’ computers could have escaped damage from Shamoon.

Indeed, Leon Panetta, the U.S. Defense Secretary, recently described Shamoon as the most destructive attack the business sector has seen to date and a “significant escalation of the cyberthreat.”

Jim Lewis, a computer expert at the Center for Strategic and International Studies (CSIS) in Washington added “There is a really significant dollar cost to this attack. The computers were out for as much as a week and had to be replaced.”

It is now known that the attack was initiated by a disgruntled insider, an Aramco employee, “an extraordinary development in a country where open dissent is banned” who may have been working with the Iranian government.

Bloomberg attributes the attack to a single perpetrator who did not have the skills to do advanced coding or to attack the company’s oil production sites. This view rests on the fact that forensic analysis of the code does not show the advanced elements that typically suggest a nation-state perpetrator. The motive in this case is believed to come from the disenfranchised Shiite minority in Saudi Arabia’s eastern province.

However, ISSSource describes how “Iran’s Cyber Army” has been building up its capability over time and attributes the attack to Iran working with an insider. It also puts forward two theories about why the Iranians might have instigated it.

One theory is the attacks were motivated by “deep wrath” at the Saudi government because of:
a. The mistreatment of the Shiites by Saudi Aramco.
b. The Saudi government’s assistance to Sunni factions in Syria and Bahrain.

The other theory is the attacks are retaliatory measures against the U.S. for:
a. Stuxnet, the U.S.-Israeli backed malware that disrupted Iran’s nuclear enrichment program, and
b. Payback for the severe U.S.-imposed sanctions that have sent the Iranian economy into a tailspin.

Shamoon was a destroyer of data on workstations of energy companies in the Arabian Gulf. There is no evidence it had any impact on SCADA or ICS systems.

What does it mean for automation professionals? The good news is that, like Stuxnet, Flame and Duqu, Shamoon was highly targeted. The bad news is that it is another indicator that industry, especially the energy industry, is now a target.

You might want to update your risk assessments. Of great concern is the fact this attack lowers the bar for effective disruption of a business. One or more people with skills slightly better than amateurs and a relatively low level of effort were able to penetrate a well-protected network and destroy massive amounts of data (albeit with insider access). In addition, they did it at a scale and speed that is unprecedented.

Imagine the damage that could be done if any group of people with an axe to grind against your organization activated a similar attack against you. The success of Shamoon is sure to attract copycats. This rouses the kind of fear we have when we think of terrorists getting their hands on nuclear weapons. No rules of engagement apply.

Call it “cyber warfare” or “cyber hype,” the bottom line is the information/networked world is facing increased threats and SCADA and ICS systems are part of that world.